Package: spectre-meltdown-checker
Version: 0.43-3
Severity: normal

Dear Maintainer,

I get two vulnerabilities shown when using spectre-meltdown-checker for this Skylake system:

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this
> vulnerability)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability: N/A
> STATUS: VULNERABLE (your CPU supports SGX and the microcode is not up to
> date)

Both indicate that updated CPU microcode is needed. However, intel-microcode is installed with version 3.20200616.1 and both
https://security-tracker.debian.org/tracker/CVE-2018-3640 and
https://security-tracker.debian.org/tracker/CVE-2018-3615
indicate that the vulnerability is fixed with version 3.20200616.1 for bullseye/sid.

There is a lot of fuzz about being quantum-safe, but I do not think that they refer to being vulnerable and not being vulnerable at the same time. ;-)

So who is right? Is it spectre-meltdown-checker or the security tracker? Or are really both right and there is some information missing (like that it is fixed but only with a UEFI/BIOS update)?

Kind regards
Patrick

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'stable'), (500, 'unstable-debug'), (400, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information